#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <spawn.h>
#include <sys/types.h>
#include <errno.h>
#include <stdlib.h>
#include <sys/sysctl.h>
#include <dlfcn.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <pthread.h>
#include <Foundation/Foundation.h>
#include "fishhook.h"
#include "common.h"
#include <xpc/xpc.h>
#include "libjailbreak_xpc.h"
#ifdef PSPAWN_PAYLOAD_DEBUG
#define LAUNCHD_LOG_PATH "/tmp/pspawn_payload_launchd.log"
// XXX multiple xpcproxies opening same file
// XXX not closing logfile before spawn
#define XPCPROXY_LOG_PATH "/tmp/pspawn_payload_xpcproxy.log"
FILE *log_file;
#define DEBUGLOG(fmt, args...)\
do {\
if (log_file == NULL) {\
log_file = fopen((current_process == PROCESS_LAUNCHD) ? LAUNCHD_LOG_PATH : XPCPROXY_LOG_PATH, "a"); \
if (log_file == NULL) break; \
} \
fprintf(log_file, fmt "\n", ##args); \
fflush(log_file); \
} while(0)
#else
#define DEBUGLOG(fmt, args...)
#endif
#define PSPAWN_PAYLOAD_DYLIB "/bootstrap/pspawn_payload.dylib"
#define AMFID_PAYLOAD_DYLIB "/bootstrap/amfid_payload.dylib"
#define SBINJECT_PAYLOAD_DYLIB "/usr/lib/SBInject.dylib"
// This dylib is only expected to be loaded into launchd and xpcproxy, so the
// constructor below treats getpid() == 1 as launchd and anything else as xpcproxy.
enum currentprocess {
PROCESS_LAUNCHD,
PROCESS_XPCPROXY,
};
// Which host process this dylib was loaded into. Written once in ctor(), read by
// the spawn hooks (and by DEBUGLOG to pick a log file in debug builds).
int current_process = PROCESS_XPCPROXY;
// NULL-terminated list of substrings. In the launchd path, an xpcproxy spawn whose
// argv[1] contains any of these (strstr match) is left uninjected.
const char* xpcproxy_blacklist[] = {
"com.apple.diagnosticd", // syslog
"com.apple.ReportCrash", // crash reporting
"MTLCompilerService", // reason not documented
"OTAPKIAssetTool", // reason not documented
"cfprefsd", // reason not documented
"jailbreakd", // don't inject into jbd since we'd have to call to it
NULL
};
// Function-pointer type matching posix_spawn()/posix_spawnp(); used to hold the
// originals saved by fishhook.
typedef int (*pspawn_t)(pid_t * pid, const char* path, const posix_spawn_file_actions_t *file_actions, posix_spawnattr_t *attrp, char const* argv[], const char* envp[]);
// Original posix_spawn / posix_spawnp implementations, filled in by
// rebind_symbols() inside rebind_pspawns(). Unset until the rebind has run.
pspawn_t old_pspawn, old_pspawnp;
/*
 * Shared body of the posix_spawn()/posix_spawnp() hooks installed by
 * rebind_pspawns().
 *
 * Picks a payload dylib from the global current_process and the spawned path,
 * rebuilds envp with every entry containing "DYLD_INSERT_LIBRARIES" removed and
 * a fresh DYLD_INSERT_LIBRARIES=<dylib> entry appended, forces
 * POSIX_SPAWN_START_SUSPENDED on the spawn attributes, and then calls `old`.
 *
 * Parameters mirror posix_spawn(); `old` is the saved original implementation
 * (old_pspawn or old_pspawnp). Returns whatever `old` returns. In the launchd
 * path *pid is written only when `old` succeeds; in the xpcproxy path `pid` is
 * handed straight through to `old`.
 *
 * Issues visible in this function (left unchanged here, see inline notes):
 *  - in the launchd branch argv[1] is read without checking that argv is
 *    non-NULL and has at least two elements;
 *  - the envp copy loop drops every entry that follows a DYLD_INSERT_LIBRARIES
 *    entry;
 *  - newenvp and envp_inject are malloc()ed and never freed, the local attr is
 *    never posix_spawnattr_destroy()ed, and neither malloc() is checked;
 *  - when attrp is non-NULL the caller's attribute set is modified in place and
 *    POSIX_SPAWN_START_SUSPENDED is never cleared again.
 */
int fake_posix_spawn_common(pid_t * pid, const char* path, const posix_spawn_file_actions_t *file_actions, posix_spawnattr_t *attrp, char const* argv[], const char* envp[], pspawn_t old) {
DEBUGLOG("We got called (fake_posix_spawn)! %s", path);
const char *inject_me = NULL;
// launchd path: only spawns of xpcproxy get the payload, and only when argv[1]
// does not contain one of the blacklist substrings.
if (current_process == PROCESS_LAUNCHD) {
if (strcmp(path, "/usr/libexec/xpcproxy") == 0) {
inject_me = PSPAWN_PAYLOAD_DYLIB;
// argv is dereferenced without a NULL/length check. argv[1] is presumably the
// service xpcproxy is about to start (the log message below treats it so) — confirm.
const char* startd = argv[1];
if (startd != NULL) {
const char **blacklist = xpcproxy_blacklist;
while (*blacklist) {
// strstr(): substring match, so an entry also matches any longer label containing it.
if (strstr(startd, *blacklist)) {
DEBUGLOG("xpcproxy for '%s' which is in blacklist, not injecting", startd);
inject_me = NULL;
break;
}
++blacklist;
}
}
}
// xpcproxy path: amfid gets its own payload, everything else gets SBInject.
} else if (current_process == PROCESS_XPCPROXY) {
// XXX inject both SBInject & amfid payload into amfid?
// note: DYLD_INSERT_LIBRARIES=libfoo1.dylib:libfoo2.dylib
if (strcmp(path, "/usr/libexec/amfid") == 0) {
DEBUGLOG("Starting amfid -- special handling");
inject_me = AMFID_PAYLOAD_DYLIB;
} else {
inject_me = SBINJECT_PAYLOAD_DYLIB;
}
}
// XXX log different err on inject_me == NULL and nonexistent inject_me
// file_exist() is not defined in this file (presumably from common.h).
if (inject_me == NULL || !file_exist(inject_me)) {
DEBUGLOG("Nothing to inject");
return old(pid, path, file_actions, attrp, argv, envp);
}
DEBUGLOG("Injecting %s into %s", inject_me, path);
#ifdef PSPAWN_PAYLOAD_DEBUG
if (argv != NULL){
DEBUGLOG("Args: ");
const char** currentarg = argv;
while (*currentarg != NULL){
DEBUGLOG("\t%s", *currentarg);
currentarg++;
}
}
#endif
// Count the env entries that will be kept. Matching is by substring, so any entry
// containing "DYLD_INSERT_LIBRARIES" anywhere (not only as the key) is dropped.
int envcount = 0;
if (envp != NULL){
DEBUGLOG("Env: ");
const char** currentenv = envp;
while (*currentenv != NULL){
DEBUGLOG("\t%s", *currentenv);
if (strstr(*currentenv, "DYLD_INSERT_LIBRARIES") == NULL) {
envcount++;
}
currentenv++;
}
}
// +2: one slot for the injected entry, one for the NULL terminator. The malloc()
// result is not checked. sizeof(char **) is used where sizeof *newenvp would name
// the element type (same size in practice, but not the same type).
char const** newenvp = malloc((envcount+2) * sizeof(char **));
int j = 0;
// BUG: `continue` advances i (the output index) without advancing j (the input
// index), so the same entry is re-tested and every DYLD_INSERT_LIBRARIES entry
// consumes an iteration; the loop then ends before the tail of envp has been
// scanned and those entries are silently dropped. Intended behaviour is to step
// j on every iteration and i only when an entry is copied.
for (int i = 0; i < envcount; i++){
if (strstr(envp[j], "DYLD_INSERT_LIBRARIES") != NULL){
continue;
}
newenvp[i] = envp[j];
j++;
}
// Exact-size buffer for "DYLD_INSERT_LIBRARIES=" + inject_me; malloc() unchecked.
char *envp_inject = malloc(strlen("DYLD_INSERT_LIBRARIES=") + strlen(inject_me) + 1);
envp_inject[0] = '\0';
strcat(envp_inject, "DYLD_INSERT_LIBRARIES=");
strcat(envp_inject, inject_me);
newenvp[j] = envp_inject;
newenvp[j+1] = NULL;
// NOTE: uses #if where the rest of the file uses #ifdef. This block is only
// compiled when PSPAWN_PAYLOAD_DEBUG is defined to a non-zero value; defining it
// with no value is a preprocessor error here.
#if PSPAWN_PAYLOAD_DEBUG
DEBUGLOG("New Env:");
const char** currentenv = newenvp;
while (*currentenv != NULL){
DEBUGLOG("\t%s", *currentenv);
currentenv++;
}
#endif
// Make the child start suspended: reuse the caller's attributes (modified in
// place) or initialise a local set. `flags` is only meaningful if
// posix_spawnattr_getflags() succeeds; its return value is not checked.
posix_spawnattr_t attr;
posix_spawnattr_t *newattrp = &attr;
if (attrp) {
newattrp = attrp;
short flags;
posix_spawnattr_getflags(attrp, &flags);
flags |= POSIX_SPAWN_START_SUSPENDED;
posix_spawnattr_setflags(attrp, flags);
} else {
posix_spawnattr_init(&attr);
posix_spawnattr_setflags(&attr, POSIX_SPAWN_START_SUSPENDED);
}
int origret;
// Defined locally; the remaining FLAG_* values come from an included header.
#define FLAG_ATTRIBUTE_XPCPROXY (1 << 17)
if (current_process == PROCESS_XPCPROXY) {
// dont leak logging fd into execd process
#ifdef PSPAWN_PAYLOAD_DEBUG
if (log_file != NULL) {
fclose(log_file);
log_file = NULL;
}
#endif
// Applied to xpcproxy's own pid (getpid()); what the FLAG_* bits do is defined
// outside this file.
jb_oneshot_entitle_now(getpid(), FLAG_ENTITLE | FLAG_PLATFORMIZE | FLAG_SANDBOX | FLAG_SIGCONT | FLAG_WAIT_EXEC | FLAG_ATTRIBUTE_XPCPROXY);
// dont leak jbd fd into execd process
origret = old(pid, path, file_actions, newattrp, argv, newenvp);
} else {
// launchd path: spawn into a local pid so the new process can be reported to
// jailbreakd before the caller sees it. The child was started suspended, so
// presumably ENTITLE_AND_SIGCONT is what resumes it — confirm in jailbreakd.
// gotpid is an int passed where `old` takes a pid_t*; assumes pid_t has the
// same representation as int — TODO confirm.
int gotpid;
origret = old(&gotpid, path, file_actions, newattrp, argv, newenvp);
if (origret == 0) {
if (pid != NULL) *pid = gotpid;
calljailbreakd(gotpid, JAILBREAKD_COMMAND_ENTITLE_AND_SIGCONT);
}
}
return origret;
}
// posix_spawn() replacement installed by rebind_pspawns(). Forwards every
// argument unchanged to the shared hook body together with the saved original.
int fake_posix_spawn(pid_t * pid, const char* file, const posix_spawn_file_actions_t *file_actions, posix_spawnattr_t *attrp, const char* argv[], const char* envp[]) {
pspawn_t original = old_pspawn;
return fake_posix_spawn_common(pid, file, file_actions, attrp, argv, envp, original);
}
// posix_spawnp() replacement installed by rebind_pspawns(). Same as
// fake_posix_spawn() but forwards the saved original posix_spawnp.
int fake_posix_spawnp(pid_t * pid, const char* file, const posix_spawn_file_actions_t *file_actions, posix_spawnattr_t *attrp, const char* argv[], const char* envp[]) {
pspawn_t original = old_pspawnp;
return fake_posix_spawn_common(pid, file, file_actions, attrp, argv, envp, original);
}
// Installs the posix_spawn/posix_spawnp hooks via fishhook, storing the original
// implementations in old_pspawn / old_pspawnp. The return value of
// rebind_symbols() is not checked, so a failed rebind leaves spawns unhooked
// without any indication.
void rebind_pspawns(void) {
struct rebinding hooks[] = {
{ "posix_spawn", (void *)fake_posix_spawn, (void **)&old_pspawn },
{ "posix_spawnp", (void *)fake_posix_spawnp, (void **)&old_pspawnp },
};
size_t nhooks = sizeof hooks / sizeof hooks[0];
rebind_symbols(hooks, nhooks);
}
// Thread body used by ctor() when running inside launchd: logs, installs the
// spawn hooks, and exits. `arg` is unused; the return value is always NULL.
void* thd_func(void* arg){
(void)arg;
NSLog(@"In a new thread!");
rebind_pspawns();
return NULL;
}
// Image constructor: records which host process this dylib is in and installs
// the spawn hooks. In launchd (pid 1) the rebind is done on a new thread; in any
// other process it is done inline.
// NOTE(review): pthread_create()'s return value is not checked and the thread is
// neither detached nor joined — unchanged from the original behaviour.
__attribute__ ((constructor))
static void ctor(void) {
int in_launchd = (getpid() == 1);
current_process = in_launchd ? PROCESS_LAUNCHD : PROCESS_XPCPROXY;
if (!in_launchd) {
rebind_pspawns();
return;
}
pthread_t hook_thread;
pthread_create(&hook_thread, NULL, thd_func, NULL);
}